This guide assumes you already have a VPC set up with a NAT instance acting as a gateway to a private subnet.
In this example I want to port forward port 2222 from the NAT to port 22 on an instance in the private subnet.
Something like this
SSH into NAT
To accomplish this I am going to use iptables from within my NAT instance.
My NAT instance has Elastic IP 18.104.22.168
SSH to it
> ssh -i .ec2/pats-keypair.pem firstname.lastname@example.org
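The private server is at 10.0.1.30. The internal IP of the NAT is 10.0.0.25.
Run the following command to update iptables to route port 2222 from the NAT to port 22 on the private server. The rule matches on the NAT's internal IP because AWS translates the Elastic IP to the instance's private address before the traffic reaches it.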
> sudo iptables -t nat -I PREROUTING -d 10.0.0.25 -p tcp --dport 2222 -j DNAT --to 10.0.1.30:22
Update security group for NAT
From the VPC console, click Security Groups, then choose the security group associated with your NAT; in my case it's the default (or you could create a new security group and associate it).
Click on the Inbound tab. Select Custom TCP Rule. Enter 2222 and click Add Rule.
Click Apply Rule Changes.
Make sure port 2222 has been added. (I had an issue with this, not sure why; I did hit Apply Rule Changes.)
From outside the system SSH into the system using port 2222 to forward to the system in the private subnet.
> ssh -i .ec2/pats-keypair.pem -p 2222 email@example.com
> ifconfig -a
Yep, this is the correct machine; it has internal IP address 10.0.1.30.
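To review what the NAT now forwards into the private subnet, the following added example (not part of the original guide) parses `iptables-save` output and reports each DNAT forward and whether it is limited to a source range. The function names and the second sample rule (203.0.113.0/24 to 10.0.1.40:443) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list DNAT port forwards found in `iptables-save` output.
# Live use on the NAT instance: sudo iptables-save -t nat | unrestricted_forwards

# Reads iptables-save text on stdin; prints "<port> <target> <source>" for each
# PREROUTING DNAT rule. <source> is the -s match, or "any" if the rule has none.
list_dnat_forwards() {
  awk '
    $1 == "-A" && $2 == "PREROUTING" {
      port = "-"; target = ""; src = "any"; dnat = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-s") src = ($(i - 1) == "!" ? "!" : "") $(i + 1)
        else if ($i == "--dport") port = $(i + 1)
        else if ($i == "-j" && $(i + 1) == "DNAT") dnat = 1
        else if ($i == "--to-destination") target = $(i + 1)
      }
      if (dnat && target != "") print port, target, src
    }'
}

# No source match: the rule applies to traffic from any address, so filtering
# is left to the security group and any FORWARD-chain rules.
unrestricted_forwards() {
  list_dnat_forwards | awk '$3 == "any" { print $1 " -> " $2 }'
}

# Constructed sample: the first PREROUTING line is the rule from this guide as
# iptables-save prints it; the second (source-restricted) rule is hypothetical.
sample_rules() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.25/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.0.1.30:22
-A PREROUTING -s 203.0.113.0/24 -d 10.0.0.25/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.1.40:443
-A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE
COMMIT
EOF
}

echo "All forwards:";       sample_rules | list_dnat_forwards
echo "Open to any source:"; sample_rules | unrestricted_forwards
```

A forward reported as open to any source is only as restricted as the inbound rule for that port in the NAT's security group, so the two should be reviewed together.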